Logic & Proofs for Cyber-Physical Systems Andr e Platzer - - PowerPoint PPT Presentation

Logic & Proofs for Cyber-Physical Systems

Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 27

Outline

1

CPS are Multi-Dynamical Systems Hybrid Systems Hybrid Games Stochastic Hybrid Systems Distributed Hybrid Systems

2

Dynamic Logic of Multi-Dynamical Systems

3

Proofs for CPS

4

Theory of CPS Soundness and Completeness Differential Invariants Differential Axioms Example: Elementary Differential Invariants

5

Applications

6

Summary

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 27

Cyber-Physical Systems Analysis: Aircraft Example

Which control decisions are safe for aircraft collision avoidance?

Cyber-Physical Systems

CPSs combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 27

CPSs Promise Transformative Impact!

Prospects: Safe & Efficient

Driver assistance Autonomous cars Pilot decision support Autopilots / UAVs Train protection Robots near humans

Prerequisite: CPSs need to be safe

How do we make sure CPSs make the world a better place?

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 3 / 27

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 4 / 27

Can you trust a computer to control physics?

1 Depends on how it has been programmed 2 And on what will happen if it malfunctions

Rationale

1 Safety guarantees require analytic foundations. 2 A common foundational core helps all application domains. 3 Foundations revolutionized digital computer science & our society. 4 Need even stronger foundations when software reaches out into our

physical world.

CPSs deserve proofs as safety evidence!

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 4 / 27

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

CPS Dynamics

CPS are characterized by multiple facets of dynamical systems.

CPS Compositions

CPS combines multiple simple dynamical effects. Descriptive simplification

Tame Parts

Exploiting compositionality tames CPS complexity. Analytic simplification

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 5 / 27

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

hybrid systems

HS = discrete + ODE

stochastic hybrid sys.

SHS = HS + stochastics

5 10 15 20 0.3 0.2 0.1 0.1 0.2 0.3

hybrid games

HG = HS + adversary

distributed hybrid sys.

DHS = HS + distributed

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 6 / 27

Dynamic Logics for Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α

stochastic differential DL

SdL = DL + SHP αφ φ

differential game logic

dGL = GL + HG αφ φ

quantified differential DL

QdL = FOL + DL + QHP

JAR’08,CADE’11,LMCS’12,LICS’12 LICS’12,CADE’15,TOCL’15 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 7 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

x = m x = m x = m x = m

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m x′ = v, v′ = a

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

ODE

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m a := −b x′ = v, v′ = a

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

ODE assign

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m (if(SB(x, m)) a := −b) x′ = v, v′ = a

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

ODE assign test

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

(if(SB(x, m)) a := −b) ; x′ = v, v′ = a

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

ODE assign test seq. compose

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

• (if(SB(x, m)) a := −b) ; x′ = v, v′ = a

∗

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

ODE assign test seq. compose nondet. repeat

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m

• (if(SB(x, m)) a := −b) ; x′ = v, v′ = a

∗ x = m

post

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

all runs

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x = m x = m x = m x = m x = m ∧ b > 0

• init

→

• (if(SB(x, m)) a := −b) ; x′ = v, v′ = a

∗ x = m

post

1 2 3 4 5 6 7 t 2.5 2.0 1.5 1.0 0.5 0.0 0.5a 1 2 3 4 5 6 7 t 2 2 4 6v

m

1 2 3 4 5 6 7 t 2 2 4 6 8 10

x

all runs

[α]ϕ ϕ α

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := f (x) | ?Q | x′ = f (x) & Q | α ∪ β | α; β | α∗

Definition (dL Formula P)

e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | αP Tableaux’07,JAutomReas’08,LICS’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 9 / 27

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := f (x) | ?Q | x′ = f (x) & Q | α ∪ β | α; β | α∗

Definition (dL Formula P)

e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | αP Discrete Assign Test Condition Differential Equation Nondet. Choice Seq. Compose Nondet. Repeat All Reals Some Reals All Runs Some Runs Tableaux’07,JAutomReas’08,LICS’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 9 / 27

Differential Dynamic Logic: Axiomatization

[:=] [x := e]P(x) ↔ P(e) [?] [?Q]P ↔ (Q → P) [′] [x′ = f (x)]P ↔ ∀t≥0 [x := y(t)]P (y′(t) = f (y)) [∪] [α ∪ β]P ↔ [α]P ∧ [β]P [;] [α; β]P ↔ [α][β]P [∗] [α∗]P ↔ P ∧ [α][α∗]P K [α](P → Q) → ([α]P → [α]Q) I [α∗](P → [α]P) → (P → [α∗]P) C [α∗]∀v>0 (P(v) → αP(v−1)) → ∀v (P(v) → α∗∃v≤0 P(v)) equations of truth LICS’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 10 / 27

Complete Proof Theory of Hybrid Systems

Theorem (Sound & Complete) (J.Autom.Reas. 2008, LICS’12)

dL calculus is a sound & complete axiomatization of hybrid systems relative to either differential equations or to discrete dynamics.

Proof 25pp

Corollary (Complete Proof-theoretical Bridge)

proving continuous = proving hybrid = proving discrete JAutomReas’08,LICS’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 11 / 27

Complete Proof Theory of Hybrid Systems

Theorem (Sound & Complete) (J.Autom.Reas. 2008, LICS’12)

dL calculus is a sound & complete axiomatization of hybrid systems relative to either differential equations or to discrete dynamics.

Proof 25pp

Corollary (Complete Proof-theoretical Bridge)

proving continuous = proving hybrid = proving discrete

System Continuous Discrete Hybrid

JAutomReas’08,LICS’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 11 / 27

Complete Proof Theory of Hybrid Systems

Theorem (Sound & Complete) (J.Autom.Reas. 2008, LICS’12)

dL calculus is a sound & complete axiomatization of hybrid systems relative to either differential equations or to discrete dynamics.

Proof 25pp

Corollary (Complete Proof-theoretical Bridge)

proving continuous = proving hybrid = proving discrete

System Continuous Discrete Hybrid Hybrid Theory Discrete Theory Contin. Theory

JAutomReas’08,LICS’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 11 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x) y′ = g(x, y)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x) y′ = g(x, y) inv

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 12 / 27

Differential Equation Axioms & Differential Axioms

DW [x′ = f (x) & Q]Q DC

• [x′ = f (x) & Q]P ↔ [x′ = f (x) & Q∧R]P
• ← [x′ = f (x) & Q]R

DE [x′ = f (x) & Q]P ↔ [x′ = f (x) & Q][x′ := f (x)]P DI

• [x′ = f (x) & Q]P ↔ [?Q]P
• ← [x′ = f (x) & Q](P)′

DG [x′ = f (x) & Q]P ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & Q]P DS [x′ = c() & Q]P ↔ ∀t≥0

• (∀0≤s≤t q(x+c()s)) → [x := x+c()t]P
• [′:=] [x′ := e]p(x′) ↔ p(e)

+′ (e + k)′ = (e)′ + (k)′ ·′ (e · k)′ = (e)′ · k + e · (k)′

• ′ [y := g(x)][y′ := 1]
• (f (g(x)))′ = (f (y))′ · (g(x))′

CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 13 / 27

Differential Equation Axioms

Axiom (Differential Weakening) (CADE’15)

DW [x′ = f (x) & Q]Q t x Q w u r x′ = f (x) & Q ¬Q Differential equations cannot leave their evolution domains. Implies: [x′ = f (x) & Q]P ↔ [x′ = f (x) & Q]

• Q → P
• Andr´

e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 14 / 27

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & Q]P ↔ [x′ = f (x) & Q∧R]P
• ← [x′ = f (x) & Q]R

t x Q w u r x′ = f (x) & Q w Q DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave R, then might as well restrict state space to R.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 14 / 27

Differential Equation Axioms

Axiom (Differential Invariant) (CADE’15)

DI

• [x′ = f (x) & Q]P ↔ [?Q]P
• ← [x′ = f (x) & Q](P)′

t x Q w u r x′ = f (x) & Q

¬ ¬F

F F

Differential invariant: if P true now and if differential (P)′ true always What’s the differential of a formula??? What’s the meaning of a differential term . . . in a state???

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 14 / 27

Differential Equation Axioms

Axiom (Differential Effect) (CADE’15)

DE [x′ = f (x) & Q]P ↔ [x′ = f (x) & Q][x′ := f (x)]P t x Q w u r x′ = f (x) & Q x′ f (x) Effect of differential equation on differential symbol x′ [x′ := f (x)] instantly mimics continuous effect [x′ = f (x)] on x′ [x′ := f (x)] selects vector field x′ = f (x) for subsequent differentials

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 14 / 27

Differential Equation Axioms

Axiom (Differential Ghost) (CADE’15)

DG [x′ = f (x) & Q]P ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & Q]P t x Q w u r x′ = f (x) & Q y′ = a(x)y + b(x)

t x x′ = f(x) y′ = g ( x , y ) inv

Differential ghost/auxiliaries: extra differential equations that exist Can cause new invariants “Dark matter” counterweight to balance conserved quantities

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 14 / 27

Differential Invariants for Differential Equations

ω2x2+y2≤c2 ⊢ [x′ = y, y′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)] ω2x2+y2≤c2

x y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 15 / 27

Differential Invariants for Differential Equations

ω≥ 0 ∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y, y′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)] ω2x2+y2≤c2

x y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 15 / 27

Differential Invariants for Differential Equations

ω≥0 ∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥ 0 ∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y, y′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)] ω2x2+y2≤c2

x y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 15 / 27

Differential Invariants for Differential Equations

∗ ω≥0 ∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥ 0 ∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y, y′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)] ω2x2+y2≤c2

x y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 15 / 27

Differential Invariants for Differential Equations

∗ ω≥0 ∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥ 0 ∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y, y′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)] ω2x2+y2≤c2

x y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 15 / 27

Airborne Collision Avoidance System ACAS X: Verify

Developed by the FAA to replace current TCAS in aircraft Approximately optimizes Markov Decision Process on a grid Advisory from lookup tables with numerous 5D interpolation regions

1 Identified safe region for each advisory symbolically 2 Proved safety for hybrid systems flight model in KeYmaera X

TACAS’15,EMSOFT’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 16 / 27

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safe advisory in 97.7% of the 648,591,384,375 states compared (15,160,434,734 counterexamples). ACAS X issues DNC advisory, which induces collision unless corrected TACAS’15,EMSOFT’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 17 / 27

Airborne Collision Avoidance System ACAS X: Refine

Conservative, so too many counterexamples Settle for: safe for a little while with safe possible future Safeable advisory: a subsequent advisory can safely avoid collision

1 Identified safeable region for each advisory symbolically 2 Proved safety for hybrid systems flight model in KeYmaera X

STTT

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 18 / 27

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safeable advisory in more of the 648,591,384,375 states compared (≈31.6 to 898.7 106 counterexamples). ACAS X issues Maintain advisory instead of CL1500 STTT

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 19 / 27

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safeable advisory in more of the 648,591,384,375 states compared (≈31.6 to 898.7 106 counterexamples). ACAS X issues Maintain advisory instead of CL1500 STTT

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 19 / 27

Verified CPS Applications

• x

y c

 

c

• x

e n t r y e x i t

• y

c

• c
• x
• y
• z

xi xj p xk xl xm

ICFEM’09,JAIS’14,TACAS’15,EMSOFT’15,CAV’08,FM’09,HSCC’11,HSCC’13,TACAS’14

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 20 / 27

Verified CPS Applications

✔

✗

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

FM’11,LMCS’12,ICCPS’12,ITSC’11,ITSC’13,IJCAR’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 20 / 27

Verified CPS Applications

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

5 10 15 20 0.3 0.2 0.1 0.1 0.2 0.3 0.3 0.2 0.1 0.0 0.1 0.2 0.3 0.3 0.2 0.1 0.0 0.1 0.2 0.3

0.2 0.4 0.6 0.8 1.0 1 1

• HSCC’13,RSS’13,CADE’12

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 20 / 27

Verified CPS Applications www.lfcps.org/course/

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

1 2 3 4 0.0 0.5 1.0 1.5 2.0 2.5

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

15-424/624/824 Foundations of Cyber-Physical Systems students

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 20 / 27

CPS V&V Grand Prix: Undergrad Course Competition

2016 CPS V&V Grand Prix Carnegie Mellon University May 5th, 2016

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 21 / 27

An aXiomatic Tactical Theorem Prover for CPS

KeYmaera X http://keymaeraX.org/ CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 22 / 27

An aXiomatic Tactical Theorem Prover for CPS

KeYmaera X http://keymaeraX.org/ Small Core Increases trust, modularity, enables experimentation (1652) Tactics Bridging between small core and (Hilbert) powerful reasoning steps (Sequent) Separation Tactics can make courageous inferences Core establishes soundness Search&Do Search-based tactics follow proof search strategies Constructive tactics directly build a proof Interaction Interactive proofs mixed with tactical proofs and proof search Extensible Flexible for new algorithms, new tactics, new logics, new proof rules, new axioms, . . . Customize Modular user interface, API CADE’15

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 22 / 27

KeYmaera X Microkernel for Soundness

≈LOC KeYmaera X 1 652 KeYmaera 65 989 KeY 51 328 Nuprl 15 000 + 50 000 MetaPRL 8 196 Isabelle/Pure 8 113 Coq 20 000 HOL Light 396 PHAVer 30 000 HSolver 20 000 SpaceEx 100 000 Flow∗ 25 000 dReal 50 000 + millions HyCreate2 6 081 + user model analysis

Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules hybrid prover Java

• general

math hybrid verifier

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 23 / 27

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

(US) φ σ(φ) provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible)

US

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [x := x + 1 ∪ x′ = 1]x ≥ 0 ↔ [x := x + 1]x ≥ 0 ∧ [x′ = 1]x ≥ 0

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 24 / 27

Acknowledgments

Students and postdocs of the Logical Systems Lab at Carnegie Mellon Brandon Bohrer, Nathan Fulton, David Henriques, Sarah Loos, Jo˜ ao Martins Erik Zawadzki, Khalil Ghorbal, Jean-Baptiste Jeannin, Stefan Mitsch

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 25 / 27

Logic & Proofs for Cyber-Physical Systems

Logical foundations make a big difference for CPS, and vice versa

differential dynamic logic

dL = DL + HP

[α]ϕ ϕ α

Strong analytic foundations Practical reasoning advances Significant applications Catalyze many science areas

1 Multi-dynamical systems 2 Combine simple dynamics 3 Tame complexity 4 Complete axiomatization

Numerous wonders remain to be discovered

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 26 / 27

Logic & Proofs for Cyber-Physical Systems

Logical foundations make a big difference for CPS, and vice versa

differential dynamic logic

dL = DL + HP

[α]ϕ ϕ α

Strong analytic foundations Practical reasoning advances Significant applications Catalyze many science areas KeYmaera X Numerous wonders remain to be discovered

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 26 / 27

Future CPS Challenges

Numerous wonders remain to be discovered Scalable continuous stochastics CADE’11 Concurrent CPS Real arithmetic: Scalable and verified CADE’09 Verified CPS implementations, ModelPlex FMSD’16 Correct CPS execution CPS-conducive tactic languages+libraries Tactics exploiting CPS structure/linearity/. . . Invariant generation Tactics & proofs for reachable set computations Parallel proof search & disprovers Correct model transformation Inspiring applications CPSs deserve proofs as safety evidence!

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 27 / 27

Logical Foundations

• f

Cyber-Physical Systems

Logic

Theorem Proving Proof Theory Modal Logic Model Checking

Algebra

Computer Algebra R Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Carath´ edory Solutions Viscosity PDE Solutions Dynamical Systems

Stochastics

Doob’s Super- martingales Dynkin’s Infinitesimal Generators Differential Generators Stochastic Differential Equations

Numerics

Hermite Interpolation Weierstraß Approx- imation Error Analysis Numerical Integration

Algorithms

Decision Procedures Proof Search Procedures Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 2

Logical Foundations

• f

Cyber-Physical Systems

Logic

Theorem Proving Proof Theory Modal Logic Model Checking

Algebra

Computer Algebra R Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Carath´ edory Solutions Viscosity PDE Solutions Dynamical Systems

Stochastics

Doob’s Super- martingales Dynkin’s Infinitesimal Generators Differential Generators Stochastic Differential Equations

Numerics

Hermite Interpolation Weierstraß Approx- imation Error Analysis Numerical Integration

Algorithms

Decision Procedures Proof Search Procedures Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 2

Differential Dynamic Logic dL: Semantics

Definition (Hybrid program semantics) ([ [·] ] : HP → ℘(S × S))

[ [x := e] ] = {(ω, ν) : ν = ω except [ [x] ]ν = [ [e] ]ω} [ [?Q] ] = {(ω, ω) : ω ∈ [ [Q] ]} [ [x′ = f (x)] ] = {(ϕ(0), ϕ(r)) : ϕ | = x′ = f (x) for some duration r} [ [α ∪ β] ] = [ [α] ] ∪ [ [β] ] [ [α; β] ] = [ [α] ] ◦ [ [β] ] [ [α∗] ] =

• n∈N

[ [αn] ]

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [e ≥ ˜ e] ] = {ω : [ [e] ]ω ≥ [ [˜ e] ]ω} [ [¬P] ] = [ [P] ]∁ [ [P ∧ Q] ] = [ [P] ] ∩ [ [Q] ] [ [αP] ] = [ [α] ] ◦ [ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω, ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω, ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R}

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

Andr´ e Platzer. Logic & proofs for cyber-physical systems. In Nicola Olivetti and Ashish Tiwari, editors, IJCAR, volume 9706 of LNCS, pages 15–21. Springer, 2016. doi:10.1007/978-3-319-40229-1_3. Andr´ e Platzer. Logics of dynamical systems. In LICS [27], pages 13–24. doi:10.1109/LICS.2012.13. Andr´ e Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

doi:10.1007/s10817-008-9103-8. Andr´ e Platzer. A uniform substitution calculus for differential dynamic logic. In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 467–481. Springer, 2015.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

doi:10.1007/978-3-319-21401-6_32. Andr´ e Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015. doi:10.1145/2817824. Andr´ e Platzer. The complete proof theory of hybrid systems. In LICS [27], pages 541–550. doi:10.1109/LICS.2012.64. Andr´ e Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems.

• Log. Meth. Comput. Sci., 8(4):1–44, 2012.

Special issue for selected papers from CSL’10. doi:10.2168/LMCS-8(4:17)2012. Andr´ e Platzer. Stochastic differential dynamic logic for stochastic hybrid programs.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34. Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 20(1):309–352, 2010.

doi:10.1093/logcom/exn070. Andr´ e Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176–189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17. Andr´ e Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints.

• Form. Methods Syst. Des., 35(1):98–120, 2009.

Special issue for selected papers from CAV’08. doi:10.1007/s10703-009-0079-8.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

Andr´ e Platzer. The structure of differential invariants and differential cut elimination.

• Log. Meth. Comput. Sci., 8(4):1–38, 2012.

doi:10.2168/LMCS-8(4:16)2012. Andr´ e Platzer. A differential operator approach to equational differential invariants. In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 of LNCS, pages 28–48. Springer, 2012. doi:10.1007/978-3-642-32347-8_3. Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, Ryan Gardner, Aurora Schmidt, Erik Zawadzki, and Andr´ e Platzer. A formally verified hybrid system for the next-generation airborne collision avoidance system. In Christel Baier and Cesare Tinelli, editors, TACAS, volume 9035 of LNCS, pages 21–36. Springer, 2015. doi:10.1007/978-3-662-46681-0_2.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, Ryan Gardner, Aurora Schmidt, Erik Zawadzki, and Andr´ e Platzer. Formal verification of ACAS X, an industrial airborne collision avoidance system. In Alain Girault and Nan Guan, editors, EMSOFT, pages 127–136. IEEE, 2015. doi:10.1109/EMSOFT.2015.7318268. Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, Aurora Schmidt, Ryan Gardner, Stefan Mitsch, and Andr´ e Platzer. A formally verified hybrid system for safe advisories in the next-generation airborne collision avoidance system, 2015. http://www.cs.cmu.edu/~aplatzer/pub/acasx-long.pdf. Andr´ e Platzer. Foundations of cyber-physical systems. Lecture Notes 15-424/624, Carnegie Mellon University, 2016. URL: http://www.cs.cmu.edu/~aplatzer/course/fcps16.html. Stefan Mitsch and Andr´ e Platzer.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

ModelPlex: Verified runtime validation of verified cyber-physical system models.

• Form. Methods Syst. Des., 2016.

Special issue of selected papers from RV’14. doi:10.1007/s10703-016-0241-z. Andr´ e Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4. Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278–292, Los Alamitos, 1996. IEEE Computer Society. doi:10.1109/LICS.1996.561342. Jennifer M. Davoren and Anil Nerode. Logics for hybrid systems. IEEE, 88(7):985–1010, July 2000.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

Ashish Tiwari. Abstractions for hybrid systems.

• Form. Methods Syst. Des., 32(1):57–83, 2008.

doi:10.1007/s10703-007-0044-3. Jan Lunze and Fran¸ coise Lamnabhi-Lagarrigue, editors. Handbook of Hybrid Systems Control: Theory, Tools, Applications. Cambridge Univ. Press, 2009. Paulo Tabuada. Verification and Control of Hybrid Systems: A Symbolic Approach. Springer, 2009. Rajeev Alur. Principles of Cyber-Physical Systems. MIT Press, 2015. Laurent Doyen, Goran Frehse, George J. Pappas, and Andr´ e Platzer. Verification of hybrid systems. In Edmund M. Clarke, Thomas A. Henzinger, and Helmut Veith, editors, Handbook of Model Checking, chapter 28. Springer, 2017.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2

Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.

Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 2